Clarification on Apache Tribes setup docs

[Arumugam, Santhosh]

Hey there,

We are planning to implement Apache Tribes(on our Tomcat-7) in our network for 
server to server communication.

I am looking at https://tomcat.apache.org/tomcat-7.0-doc/tribes/setup.html to 
learn more about Apache Tribes, but seems documentation is not yet published. 
Please correct me if am looking at wrong place or is there anything material 
available to learn more about it

Appreciate your help on this!

Thanks & Regards,
Santhosh A

Tomcat behind IIS on windows 2012

[richard]

If I want to have IIS act as an intermediary between Tomcat and the 
outside world, if I've understood it correctly, there seem to be two 
choices.


Either add something called HttpPlatformHandler into IIS

https://www.iis.net/downloads/microsoft/httpplatformhandler

or, use the Apache Tomcat Connectors

https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/jk-1.2.30/ia64/

Is either considered best practice, to be preferred over the other?


Regards
Richard


ps: I posted this same question over at javaranch a week or so back, but 
with no responses as yet. I'll copy any answer here over to that forum.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: intermittent connectivity failure under ssl

[Alex O'Ree]

Remy, what more information would you like? Any more info on the issue that
you are referencing?

On Fri, Mar 2, 2018 at 10:56 AM, Rémy Maucherat  wrote:

> On Fri, Mar 2, 2018 at 4:19 PM, Alex O'Ree  wrote:
>
> > Ran into a strange problem, not too sure what the problem is. Basically,
> > I'm getting intermittent connectivity from a http client to tomcat but
> only
> > through SSL using the Http11NioProtocol. Some http requests go through,
> > others fail with the stack trace below. Usually, restarting tomcat fixes
> > it, but it appears to be random and unpredictable. This is a bit of a
> major
> > issue for me so any help is appreciated.
> >
> > Any pointers for how to troubleshoot this? Running tomcat 8.5.28.
> >
> > There's no tomcat logs to indicate that there's a problem. The following
> is
> > logged on the client side:
> >
> > Caused by: java.net.SocketException: SocketException invoking
> > https://localhost:8443/myproject/services/Endpoint1: Unexpected end of
> > file from server
> >
> > 
> >
> > Caused by: java.net.SocketException: Unexpected end of file from server
> > at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.
> > java:792)
> > at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
> > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> > HttpURLConnection.java:1536)
> > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> > HttpURLConnection.java:1441)
> > at java.net.HttpURLConnection.getResponseCode(
> > HttpURLConnection.java:480)
> > at sun.net.www.protocol.https.HttpsURLConnectionImpl.
> > getResponseCode(HttpsURLConnectionImpl.java:338)
> > at org.apache.cxf.transport.http.URLConnectionHTTPConduit$
> > URLConnectionWrappedOutputStream.getResponseCode(
> > URLConnectionHTTPConduit.java:266)
> > at org.apache.cxf.transport.http.HTTPConduit$
> WrappedOutputStream.
> > handleResponseInternal(HTTPConduit.java:1543)
> > at org.apache.cxf.transport.http.HTTPConduit$
> WrappedOutputStream.
> > handleResponse(HTTPConduit.java:1513)
> > at org.apache.cxf.transport.http.HTTPConduit$
> > WrappedOutputStream.close(HTTPConduit.java:1318)
> > ... 46 more
> >
>
> It's impossible to say without more information, but this could look like
> an issue that is fixed in the next build.
>
> Rémy
>

RE: tomcat 8.5.28

[Cheltenham, Chris]

Thank You Sir.

I will go through the wiki and try it out.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, March 2, 2018 11:55 AM
To: users@tomcat.apache.org
Subject: Re: tomcat 8.5.28

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Olaf,

On 3/2/18 9:30 AM, Olaf Kock wrote:
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM To: 'Tomcat Users List'
>>  Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root use?
>>
>> I have set it up successfully however, I have to bound the non-root
>> user to port 8443.
>>
>> What is the best way to reroute 8443 through 443? There are several
>> options. Everything is set up at send to port 443 so I need to
>> reroute 8443 in and out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?" -> "It depends"
>
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
>
> You can * use iptables redirection, * have a
> proxy/webserver/loadbalancer in front, * enable unprivileged binding
> to the port

You can also use jsvc which can:

* bind to privileged ports, then drop privileges
* monitor and restart dead Tomcat processes
* send a signal to rotate logs (like stdout!)

I use a reverse-proxy for everything (and I'd recommend that everyone doing 
anything in the "real world" do the same), so I don't need such things, but 
I think I'd probably want to use jsvc for this purpose because it's fairly 
self-contained PLUS you get the auto-restart capabilities should you want 
them.

> As we were discussing documentation in another thread these days:
> I've expected to find a solution to your question in the FAQ and
> wanted to link to it - but didn't find any entry there. There's a
> patch to go on my list, with no ETA though. Maybe a side-task during
> that Manchester Tomcat training.

It's in the Wiki, not the user's guide:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_priv
ileges.3F

It doesn't even come up in Google, so it's no wonder that nobody can find 
it.

We should probably roll some of this stuff into the user's guide so it's in 
a better place. The Wiki is ... not a great place to put things IMO.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqZgdgACgkQHPApP6U8
pFiGERAAoE7DTJUDhCMMTVT12j1tR5TS/0+TDltXlaT/CWFJ1ulCv2l8Oix4A7RH
oFALw0gYjZg9/WPZd73CEtN5dfKHSffll18mJcSIpaJ2uf2sx+nbcqMpGOxrkQ5x
osM9Vj/X7QTAXfBABwffAzw12kw5QpfwdxfapQS9KkK2U4gvtIB1oo1WCBL+yziA
rKA3mA6IBKIGWk8u9BhbHJeTnmL4mPaIZqLep+M5CgOykfAu7TYdvMViovOxWCTv
o5kB6xsuhZ88zdmkGJ2BGFokl0UzKtcYic3IN/s4KqcU2fM+2UJrSSHocpxW3Nfw
ppmHGp4XaKW6oAFu4VjDDnWjnP6nDs5lH1VLmIySDm8B7nXpqbC7ML/rBde1VFMZ
jVbUojbxJ+jIpXs6jg6nxTCRh/PssvWEQ/3e0Ank+xfJ3s4ay+kXYlP8M4IL8VFV
M8tsXY8pAmknh9BnGV2fz0R49+Ir8aJEBRrYm1TLKnC8L9O/hqqlOEftqikYajvD
qJlYKCmeZfDYdFkKR1TcgcC1kOpZkgdkSCc77NEBM0+y5ln/shDUCX5MkxrHe/zE
leqntUfdWVhsfeG84MR5zmFbcWcNYNVov6A/7cW6Sb5Rlv7PWIcruyTgTEIotqwd
DPFNk54910K3yy4UAyDgBgkiZTqz8k2eWx4W7FGaaMD2c9xCq50=
=9WCp
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: where to find org.apache.catalina.filters.RemoteAddrFilter?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Coty,

On 3/1/18 3:43 PM, Coty Sutherland wrote:
> On Thu, Mar 1, 2018 at 3:35 PM, Zari Ladak 
> wrote:
>> Hi All,
>> 
>> I would like to use the
>> org.apache.catalina.filters.RemoteAddrFilter filter as part of my
>> web.xml settings. I am just curious to know which jar file has
>> that class.
> 
> You can find which paths are included in which jars from the
> build.xml (though it takes a bit of knowledge about what ant is
> doing), or a quick grep on the jar files in lib:
> 
> $ grep RemoteAddrFilter lib/* Binary file lib/catalina.jar matches

I like this little gem:

$ for jar in $CATALINA_HOME/lib/*.jar ;
  do echo "$jar" ;
  unzip -v "$jar" | grep RemoteAddrFilter" ;
  done

This will print a list of all the JARs (I'm sure there is a way to
suppress the ones that don't match) and then, underneath the one that
matches, you'll see the file:

/apache-tomcat-8.0.46/lib/annotations-api.jar
/apache-tomcat-8.0.46/lib/catalina-ant.jar
/apache-tomcat-8.0.46/lib/catalina-ha.jar
/apache-tomcat-8.0.46/lib/catalina-storeconfig.jar
/apache-tomcat-8.0.46/lib/catalina-tribes.jar
/apache-tomcat-8.0.46/lib/catalina.jar
1935  Defl:N  740  62% 08-10-2017 13:11 cf250a0f
org/apache/catalina/filters/RemoteAddrFilter.class
/apache-tomcat-8.0.46/lib/ecj-4.6.3.jar
/apache-tomcat-8.0.46/lib/el-api.jar
...

So you can see that catalina.jar contains the file.

I like this better just in case the filename has been mangled in some
way inside of the JAR file (even though it shouldn't be).

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqZiE4ACgkQHPApP6U8
pFhIURAAv4Enj7MRHMwS924fy1Me9iPt84bv/51KBt+CM1/Ihj7HX7r9ANRx04J2
p2OJ8TNVeHsDcllUuyaXpP+Sz9DfXct5WENOf6K7Ka+NvrcPSRMGYL3M9kJbwUPj
V/t91W19SzxFK2vX5cKe4mv8X8/oyBUDLYE57XxIJZWlkWuj49sdTngUO5Z/X+as
hK/QkZRkW/0GkMwoDqeITWTYUMIhcSISC6/7QVeNP7k+LS9noWlP57PUsSfY93RU
BeaF5cd2Muq5w5jymEiTy+LICx8FPxpP5WxIDyGsMEY03UNf14WUAPczj/Sbn5hg
tH2SFmiP0i8NbjTeqBjqbcpoHctBn11B1ggu7hk3HCpzw+aHNmZCrOFazWWzyKl6
0iGLOj7h5DKGT7TLbeOVmdB8kxILpmG24yKPKeUNgefVMvrLjIvWZDo3IsHuLp/g
zNj+YDaCQjhIIBQoLCDjHOtPRZR7AfTOG6uxGBgomCabBjl0tLmQwMzmaosdWM0l
b5VPNfhIpnt/PXeJEUF177cgfXPGHRNM+C/hO4MCRIrUeKlYTRQEPoYVmP57AeYq
DNQ3d4yp+krp+7N1fAMXuJ32PHTCdJNeHB8l9BmCNuoNVWrxpMe6rHBGwlCwy+nl
xLLHG+OKXKnIsxzl+nOZYl79UzNMRQFlV1mwV13N8V60o2OT52E=
=OKIw
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Running Tomcat 9 using OpenJDK 10

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chris,

On 3/2/18 11:20 AM, Cheltenham, Chris wrote:
> Yes , I was able to start up tomcat 9.0.4 with the corresponding
> java. One thing that was annoying was that
> $JAVA_HOME/jre/lib/security dorectory has changes to
> $JAVA_HOME/lib/security.
> 
> Not a big deal but if you are using certs it is.

I'm curious ... why is this a big deal? Do you typically modify your
JRE's files after installation?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqZhzcACgkQHPApP6U8
pFhzkw/+PLdg/e03X7iLjrnUQ+48IcWWE0tJfgHRIIDKy8OOQ8RiY4watZBUjehk
aMAn+HGd99hSJSGvf+fji9Lh3m7ZXw6VzKs0ZIHZOKLy2gi+zds8p9DVH/kOxKMI
mohDKGG5oIIjnylTu87iXRsQt8r3m/HzPvHrlgPsqg4SRVONOAlVC5D9DT/WARFN
XcadcQuK9hmJa3SVyXX8vcrxAYfrezahRGm4VJchv9R3V7ViOLvvdmBU5XKQX6hT
vSYr7VJcO9Y0EhM/hYaZuF7ieg8Y+QhNF5vFTAtdPE0Aw6FtzZlfhltlvVyR+zjv
MjrupbJXYq7IH8cARGVD9UhZs/XDdDBBF39xppHq0T1QNn08jxCHKkffURhOyv6O
Gfgbx6RZHWcmSGOuzSi4vGRcEQrccNdgLPgYUIYToYHzNcob3MF6M/QC8HiP0hY8
6Y3nt/oizZECHoMpBX+MxH8G9bQ0vI5UpHqgpevaF5UUk5Hoa+ZE2GDlQweQe2mj
DaYn/PopvbR0rJqoF0xBHlEatnuulzcSnoMIYcLCymBdamHq+POf77Hnm0CIEm9d
rAU6rWBX0oUCCv0t7YWEf8qUgSMWxW13dVkBiAUAQz6eWlqNwp7VxFSY2rhh4vbG
YmvbVaLMp1cDgHAKDM2sswsxeDUcINoO9J92A/uCVReTtLfXSqI=
=yZmm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Want help understanding missing piece in architecture

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cris,

On 3/2/18 11:46 AM, Berneburg, Cris J. - US wrote:
> There's a concept I'm trying to wrap my brain around.  It's
> similar to MVC, separating responsibilities between the display
> and model/controller layers.  In terms of coding, I know how to
> make that happen.  However, in terms of server architecture, I do
> not.
> 
> For the purposes of semantics, please assume "server" refers to 
> either a physical box and/or software service, application, 
> container, etc.
> 
> Let's say we have a database server and Tomcat application server. 
> The web application uses JSP.  The app is configured to connect to 
> the DB.  With this configuration, all the communication with the
> DB and page rendering occurs within the Tomcat application.
> 
> Now let's say that we want the Tomcat application to only do 
> rendering.  It connects to a different server, X, and no longer to 
> the DB.  The X server connects to the DB.  Requests and data flow 
> between the Tomcat app and the X server.
> 
> What is X?  Is it a web service?  Application behind a web socket? 
> What platforms support those?  Is that what the whole SOAP, xml,
> and JSON stuff is for?

Obviously, this gets into what the "appropriate" architecture is for
an application, etc. so the best anyone can do is give you *examples*
of what might be reasonable.

If you want something like this:

client -> presentation -> business -> db

Where "presentation" is "only" your JSPs and the "business" is the "X"
component you have described above, then there are many ways to
accomplish your objective.

The communication protocol is up to you, and will be affected by how
to decide to design X. If you use HTTP - a reasonable choice - then
you also need to decide what bits you'll send across that protocol.
Obvious choices are JSON or XML. SOAP is just a particular
implementation of XML-based RPC. Rest is a loose standard for using
HTTP verbs that make sense instead of having one big "do-everything"
URL where you feed-in requests via e.g. XML or JSON documents in a POST.

You could also use Websocket, but that would depend upon what the
relationship between your client (presentation) and server
(X/business) has to be. If it's request/response-oriented, then
Websocket is probably more trouble than it is worth. If maintaining a
connection over a long period of time, and either the client or server
should be able to "speak" at any time, then Websocket is probably the
right solution in that case.

Regardless of the exact implementation, I think it would reasonably be
called a "web service". Some people think that "web service means
SOAP" or "web service means ___" but I would say it's a fairly loose
term. I'd call anything that provides an HTTP/Websocket interface but
is intended to be used by *software* and not humans/web browsers
directly should be called a web service. If humans are using it, it's
called a "web site" or a "web application" IMHO.

> And why do it?  Are there any benefits to such an architecture? 
> Scaling maybe?  Support for rendering different output types (HTML
> vs Something Else)?  Theoretically I'm thinking that maybe the
> different servers could live inside different security zones, but I
> don't know if that's a valid requirement.

There are LOTS of reasons you might want to do this kind of thing.
Scaling is usually *not* one of them, because in a typical web/app/db
server setup, you can horizontally scale-out the web servers or the
app servers pretty much indefinitely, as long as the downstream
service(s) can handle the load. If you have your database running on
Chuck's iPhone, having 500 application servers isn't going to improve
the speed of your web application if it's db-heavy.

IMO the real benefit of that kind of architecture is *flexibility*.
Let's say that you have a series of low-level services all wrapped-up
inside of X. Then you have a web-layer (presentation) that talks to X
which does all the "real work". If you were just building the web
application and nothing else, it might be a waste of time to split
presentation/business into separate services/projects/whatever.

But let's say that you want to build a mobile application that isn't
just an app-wrapper around your web site? Your mobile app can then
call X directly and ignore the web/presentation parts of your "web
application". Then you can create another mobile application on
another platform, too, and re-use the same service.

You now want a desktop application to go along with those mobile apps?
No problem, call X directly. And the web version continues to provide
your web-based clients the same service they have always enjoyed.

I have seen LOTS of deployments like this, and many of them end up
using the database itself as the "X" in your setup: they write most of
their application using stored-procedures in the database, then
everyone uses JDBC (or whatever) to call the database to ask for
things to be done.

You want a 

Re: tomcat 8.5.28

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Olaf,

On 3/2/18 9:30 AM, Olaf Kock wrote:
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] 
>> Sent: Friday, March 02, 2018 9:08 AM To: 'Tomcat Users List'
>>  Subject: tomcat 8.5.28
>> 
>> Hello,
>> 
>> Has anyone set up tomcat as a non-root use?
>> 
>> I have set it up successfully however, I have to bound the
>> non-root user to port 8443.
>> 
>> What is the best way to reroute 8443 through 443? There are
>> several options. Everything is set up at send to port 443 so I
>> need to reroute 8443 in and out of 443
>> 
>> CentOS 7 by the way -
> "what is the best (TM)?" -> "It depends"
> 
> Tomcat runs well on unprivileged ports, and depending on your OS, 
> familiarity with configuring it, other infrastructure etc, you
> have different options. Are you familiar with them - as you mention
> that there are many?
> 
> You can * use iptables redirection, * have a
> proxy/webserver/loadbalancer in front, * enable unprivileged
> binding to the port

You can also use jsvc which can:

* bind to privileged ports, then drop privileges
* monitor and restart dead Tomcat processes
* send a signal to rotate logs (like stdout!)

I use a reverse-proxy for everything (and I'd recommend that everyone
doing anything in the "real world" do the same), so I don't need such
things, but I think I'd probably want to use jsvc for this purpose
because it's fairly self-contained PLUS you get the auto-restart
capabilities should you want them.

> As we were discussing documentation in another thread these days:
> I've expected to find a solution to your question in the FAQ and
> wanted to link to it - but didn't find any entry there. There's a
> patch to go on my list, with no ETA though. Maybe a side-task
> during that Manchester Tomcat training.

It's in the Wiki, not the user's guide:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_priv
ileges.3F

It doesn't even come up in Google, so it's no wonder that nobody can
find it.

We should probably roll some of this stuff into the user's guide so
it's in a better place. The Wiki is ... not a great place to put
things IMO.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqZgdgACgkQHPApP6U8
pFiGERAAoE7DTJUDhCMMTVT12j1tR5TS/0+TDltXlaT/CWFJ1ulCv2l8Oix4A7RH
oFALw0gYjZg9/WPZd73CEtN5dfKHSffll18mJcSIpaJ2uf2sx+nbcqMpGOxrkQ5x
osM9Vj/X7QTAXfBABwffAzw12kw5QpfwdxfapQS9KkK2U4gvtIB1oo1WCBL+yziA
rKA3mA6IBKIGWk8u9BhbHJeTnmL4mPaIZqLep+M5CgOykfAu7TYdvMViovOxWCTv
o5kB6xsuhZ88zdmkGJ2BGFokl0UzKtcYic3IN/s4KqcU2fM+2UJrSSHocpxW3Nfw
ppmHGp4XaKW6oAFu4VjDDnWjnP6nDs5lH1VLmIySDm8B7nXpqbC7ML/rBde1VFMZ
jVbUojbxJ+jIpXs6jg6nxTCRh/PssvWEQ/3e0Ank+xfJ3s4ay+kXYlP8M4IL8VFV
M8tsXY8pAmknh9BnGV2fz0R49+Ir8aJEBRrYm1TLKnC8L9O/hqqlOEftqikYajvD
qJlYKCmeZfDYdFkKR1TcgcC1kOpZkgdkSCc77NEBM0+y5ln/shDUCX5MkxrHe/zE
leqntUfdWVhsfeG84MR5zmFbcWcNYNVov6A/7cW6Sb5Rlv7PWIcruyTgTEIotqwd
DPFNk54910K3yy4UAyDgBgkiZTqz8k2eWx4W7FGaaMD2c9xCq50=
=9WCp
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[OT] Want help understanding missing piece in architecture

[Berneburg, Cris J. - US]

Hi Folks

There's a concept I'm trying to wrap my brain around.  It's similar to MVC, 
separating responsibilities between the display and model/controller layers.  
In terms of coding, I know how to make that happen.  However, in terms of 
server architecture, I do not.

For the purposes of semantics, please assume "server" refers to either a 
physical box and/or software service, application, container, etc.

Let's say we have a database server and Tomcat application server.  The web 
application uses JSP.  The app is configured to connect to the DB.  With this 
configuration, all the communication with the DB and page rendering occurs 
within the Tomcat application.

Now let's say that we want the Tomcat application to only do rendering.  It 
connects to a different server, X, and no longer to the DB.  The X server 
connects to the DB.  Requests and data flow between the Tomcat app and the X 
server.

What is X?  Is it a web service?  Application behind a web socket?  What 
platforms support those?  Is that what the whole SOAP, xml, and JSON stuff is 
for?

And why do it?  Are there any benefits to such an architecture?  Scaling maybe? 
 Support for rendering different output types (HTML vs Something Else)?  
Theoretically I'm thinking that maybe the different servers could live inside 
different security zones, but I don't know if that's a valid requirement.

Thanks for your time and patience.  :-)

--
Cris Berneburg
CACI Lead Software Engineer

RE: Running Tomcat 9 using OpenJDK 10

[Mark A. Claassen]

Thanks for the reply and the heads up.  I am controlling the apps that will be 
running under it, so that shouldn't be a problem.  I am also using the APR 
connectors, so I don't think the certs will be an issue for me either.  Now I 
just need to compile it.

Thanks again!

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect 
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and 
assumes no legal liability or responsibility for the posting. 

-Original Message-
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] 
Sent: Friday, March 2, 2018 11:20 AM
To: Tomcat Users List 
Subject: RE: Running Tomcat 9 using OpenJDK 10

Yes , I was able to start up tomcat 9.0.4 with the corresponding java.
One thing that was annoying was that $JAVA_HOME/jre/lib/security dorectory has 
changes to $JAVA_HOME/lib/security.

Not a big deal but if you are using certs it is.

Now, the applications is used did not like java 9 , so I pulled back to java 
8_161.

But that's been my brief experiences with TCAT 9 and Java 9


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


-Original Message-
From: Mark A. Claassen [mailto:mclaas...@ocie.net]
Sent: Friday, March 2, 2018 11:03 AM
To: Tomcat Users List 
Subject: Running Tomcat 9 using OpenJDK 10

Has anyone tried running Tomcat 9 using OpenJDK 9 or 10?  I know the OpenJDK 
releases don't have all the modules  (like JavaFX) that the Oracle JDK does and 
I was wondering if the libraries that Tomcat needs are part of the standard 
OpenJDK distribution?

Thanks,

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect those of 
Donnell Systems, Inc.(DSI). DSI makes no warranty for and assumes no legal 
liability or responsibility for the posting.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Running Tomcat 9 using OpenJDK 10

[Cheltenham, Chris]

Yes , I was able to start up tomcat 9.0.4 with the corresponding java.
One thing that was annoying was that $JAVA_HOME/jre/lib/security dorectory
has changes to $JAVA_HOME/lib/security.

Not a big deal but if you are using certs it is.

Now, the applications is used did not like java 9 , so I pulled back to
java 8_161.

But that's been my brief experiences with TCAT 9 and Java 9


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


-Original Message-
From: Mark A. Claassen [mailto:mclaas...@ocie.net] 
Sent: Friday, March 2, 2018 11:03 AM
To: Tomcat Users List 
Subject: Running Tomcat 9 using OpenJDK 10

Has anyone tried running Tomcat 9 using OpenJDK 9 or 10?  I know the
OpenJDK releases don't have all the modules  (like JavaFX) that the Oracle
JDK does and I was wondering if the libraries that Tomcat needs are part
of the standard OpenJDK distribution?

Thanks,

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect those of
Donnell Systems, Inc.(DSI). DSI makes no warranty for and assumes no legal
liability or responsibility for the posting.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Running Tomcat 9 using OpenJDK 10

[Mark A. Claassen]

Has anyone tried running Tomcat 9 using OpenJDK 9 or 10?  I know the OpenJDK 
releases don't have all the modules  (like JavaFX) that the Oracle JDK does and 
I was wondering if the libraries that Tomcat needs are part of the standard 
OpenJDK distribution?

Thanks,

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and
assumes no legal liability or responsibility for the posting.

embedded tomcat (8.5.28) classloading issues when adding another war file and classes can be resolved via that webapp classloader and the bootstrap classloader

[Torsten Krah]

Hi,

i am using an embedded tomcat to e.g. start my wicket application in my
IDE.
This works fine so far - the whole classpath used and provided by
IntelliJ is used.

But adding e.g. a war file via setWebapp to start some additional
webapps i am running into some issues with that war files.

The intellij classpath does provide e.g. hibernate and this is going to
resolve classes when loading entities via associations.

Hibernate was loaded using classloader A (bootstrap one) and it does
even resolve that association class with A where it should have used the
ParallelWebappClassloader from my war file first when getting a request
for that war file.

So this is going havoc because bootstrap classloader is asked first here
where it does find that class (embedded tomcat - no extra classloader
stuff done).

https://tomcat.apache.org/tomcat-8.5-doc/class-loader-howto.html

So how is this supposed to work in case i want to load additional war
files in an embedded tomcat - any best practices, docs known how to
"reproduce" such an isolated environment for an embedded tomcat?

So minimal example would be:

1. The bootstrap class with "new Tomcat()" is in my test classpath of my
webapp in the IDE and can run the webapp from "src/main/webapp" as usual
- which works so far (one big fat classpath ...).

2. I want to add a webapp from a war file in the same Tomcat() instance
- but here it gets messy with the classes.

Suggestions welcome :)

kind regards

Torsten

PS: In the "real" tomcat this is going to work because the bootstrap
classloader does not know that class at all there - where in the webapp
one this is "mixed".



smime.p7s
Description: S/MIME cryptographic signature

Re: intermittent connectivity failure under ssl

[Rémy Maucherat]

On Fri, Mar 2, 2018 at 4:19 PM, Alex O'Ree  wrote:

> Ran into a strange problem, not too sure what the problem is. Basically,
> I'm getting intermittent connectivity from a http client to tomcat but only
> through SSL using the Http11NioProtocol. Some http requests go through,
> others fail with the stack trace below. Usually, restarting tomcat fixes
> it, but it appears to be random and unpredictable. This is a bit of a major
> issue for me so any help is appreciated.
>
> Any pointers for how to troubleshoot this? Running tomcat 8.5.28.
>
> There's no tomcat logs to indicate that there's a problem. The following is
> logged on the client side:
>
> Caused by: java.net.SocketException: SocketException invoking
> https://localhost:8443/myproject/services/Endpoint1: Unexpected end of
> file from server
>
> 
>
> Caused by: java.net.SocketException: Unexpected end of file from server
> at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.
> java:792)
> at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> HttpURLConnection.java:1536)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:1441)
> at java.net.HttpURLConnection.getResponseCode(
> HttpURLConnection.java:480)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.
> getResponseCode(HttpsURLConnectionImpl.java:338)
> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$
> URLConnectionWrappedOutputStream.getResponseCode(
> URLConnectionHTTPConduit.java:266)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
> handleResponseInternal(HTTPConduit.java:1543)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.
> handleResponse(HTTPConduit.java:1513)
> at org.apache.cxf.transport.http.HTTPConduit$
> WrappedOutputStream.close(HTTPConduit.java:1318)
> ... 46 more
>

It's impossible to say without more information, but this could look like
an issue that is fixed in the next build.

Rémy

RE: tomcat 8.5.28

[Cheltenham, Chris]

All,

I am not sure is this out of scope with Tomcat's policies?


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 2, 2018 10:43 AM
To: Tomcat Users List 
Subject: RE: tomcat 8.5.28

Thanks My friend , I have tried that without success.


[root@cjc logs]# iptables -t nat -I PREROUTING -p tcp --dport 443 -j 
REDIRECT --to-port 8443 [root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused [root@cjc 
logs]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ] 
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused [root@cjc 
logs]# curl -k https://10.32.32.230:443
curl: (7) Failed connect to 10.32.32.230:443; Connection refused [root@cjc 
logs]#

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Johan Compagner [mailto:jcompag...@servoy.com]
Sent: Friday, March 2, 2018 10:23 AM
To: Tomcat Users List 
Subject: Re: tomcat 8.5.28

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port
8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port
8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris 
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root use?
>
>
>
> I have set it up successfully however, I have to bound the non-root
> user to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in
> and out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



--
Johan Compagner
Servoy

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: tomcat 8.5.28

[Cheltenham, Chris]

Thanks My friend , I have tried that without success.


[root@cjc logs]# iptables -t nat -I PREROUTING -p tcp --dport 443 -j 
REDIRECT --to-port 8443
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# curl -k https://10.32.32.230:443
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]#

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Johan Compagner [mailto:jcompag...@servoy.com]
Sent: Friday, March 2, 2018 10:23 AM
To: Tomcat Users List 
Subject: Re: tomcat 8.5.28

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port
8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port
8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris 
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root use?
>
>
>
> I have set it up successfully however, I have to bound the non-root
> user to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in
> and out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



--
Johan Compagner
Servoy

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat 8.5.28

[Johan Compagner]

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port
8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port
8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris 
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root use?
>
>
>
> I have set it up successfully however, I have to bound the non-root user
> to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in and
> out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



-- 
Johan Compagner
Servoy

RE: tomcat 8.5.28

[Cheltenham, Chris]

Thanks Andre.

People have nothing better to do I suppose.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Friday, March 2, 2018 9:49 AM
To: users@tomcat.apache.org
Subject: Re: tomcat 8.5.28

On 02.03.2018 15:41, Cheltenham, Chris wrote:
> Mark,
>
> Can you elaborate on what is going on there?
> What trolls?
> I don’t know what that means.

See : https://en.wikipedia.org/wiki/Internet_troll

>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Friday, March 2, 2018 9:39 AM
> To: Tomcat Users List ; Olaf Kock
> 
> Subject: Re: tomcat 8.5.28
>
> On 02/03/18 14:30, Olaf Kock wrote:
>>
>>
>> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>>> What?
>>
>> don't feed the trolls ;)
>
> Better still, unsubscribe them :)
>
> Just a reminder to everyone that the list does have moderators and we
> can be reached directly at users-owner@... should you need our help.
>
> I have unsubscribed this particular user.
>
> Mark
>
>
>>
>>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>>> Sent: Friday, March 02, 2018 9:08 AM
>>> To: 'Tomcat Users List' 
>>> Subject: tomcat 8.5.28
>>>
>>> Hello,
>>>
>>> Has anyone set up tomcat as a non-root use?
>>>
>>> I have set it up successfully however, I have to bound the non-root
>>> user to port 8443.
>>>
>>> What is the best way to reroute 8443 through 443?
>>> There are several options.
>>> Everything is set up at send to port 443 so I need to reroute 8443
>>> in and out of 443
>>>
>>> CentOS 7 by the way -
>> "what is the best (TM)?"
>> -> "It depends"
>>
>> Tomcat runs well on unprivileged ports, and depending on your OS,
>> familiarity with configuring it, other infrastructure etc, you have
>> different options. Are you familiar with them - as you mention that
>> there are many?
>>
>> You can
>> * use iptables redirection,
>> * have a proxy/webserver/loadbalancer in front,
>> * enable unprivileged binding to the port
>>
>> I default to the second option, because there's an Apache httpd or
>> another loadbalancer anyways, and it tended to be best documented
>> with regards to all of the specific SSL settings you might want to
>> have (the cipher-cocktail of the day), plus easily get LetsEncrypt certs.
>>
>> The others are valid as well - none is better, they're just different.
>>
>> As we were discussing documentation in another thread these days:
>> I've expected to find a solution to your question in the FAQ and
>> wanted to link to it - but didn't find any entry there. There's a
>> patch to go on my list, with no ETA though. Maybe a side-task during
>> that Manchester Tomcat training.
>>
>> Olaf
>>
>>
>>
>>
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

intermittent connectivity failure under ssl

[Alex O'Ree]

Ran into a strange problem, not too sure what the problem is. Basically,
I'm getting intermittent connectivity from a http client to tomcat but only
through SSL using the Http11NioProtocol. Some http requests go through,
others fail with the stack trace below. Usually, restarting tomcat fixes
it, but it appears to be random and unpredictable. This is a bit of a major
issue for me so any help is appreciated.

Any pointers for how to troubleshoot this? Running tomcat 8.5.28.

There's no tomcat logs to indicate that there's a problem. The following is
logged on the client side:

Caused by: java.net.SocketException: SocketException invoking
https://localhost:8443/myproject/services/Endpoint1: Unexpected end of
file from server



Caused by: java.net.SocketException: Unexpected end of file from server
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:792)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
at 
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536)
at 
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at 
java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at 
sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at 
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:266)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1543)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1513)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
... 46 more

Re: tomcat 8.5.28

[tomcat]

On 02.03.2018 15:41, Cheltenham, Chris wrote:

Mark,

Can you elaborate on what is going on there?
What trolls?
I don’t know what that means.


See : https://en.wikipedia.org/wiki/Internet_troll




===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, March 2, 2018 9:39 AM
To: Tomcat Users List ; Olaf Kock

Subject: Re: tomcat 8.5.28

On 02/03/18 14:30, Olaf Kock wrote:



On 02.03.2018 15:22, Cheltenham, Chris wrote:

What?


don't feed the trolls ;)


Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we can be
reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark





From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root use?

I have set it up successfully however, I have to bound the non-root
user to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in
and out of 443

CentOS 7 by the way -

"what is the best (TM)?"
-> "It depends"

Tomcat runs well on unprivileged ports, and depending on your OS,
familiarity with configuring it, other infrastructure etc, you have
different options. Are you familiar with them - as you mention that
there are many?

You can
* use iptables redirection,
* have a proxy/webserver/loadbalancer in front,
* enable unprivileged binding to the port

I default to the second option, because there's an Apache httpd or
another loadbalancer anyways, and it tended to be best documented with
regards to all of the specific SSL settings you might want to have
(the cipher-cocktail of the day), plus easily get LetsEncrypt certs.

The others are valid as well - none is better, they're just different.

As we were discussing documentation in another thread these days: I've
expected to find a solution to your question in the FAQ and wanted to
link to it - but didn't find any entry there. There's a patch to go on
my list, with no ETA though. Maybe a side-task during that Manchester
Tomcat training.

Olaf






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: tomcat 8.5.28

[Cheltenham, Chris]

Mark,

Can you elaborate on what is going on there?
What trolls?
I don’t know what that means.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, March 2, 2018 9:39 AM
To: Tomcat Users List ; Olaf Kock 

Subject: Re: tomcat 8.5.28

On 02/03/18 14:30, Olaf Kock wrote:
>
>
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> What?
>
> don't feed the trolls ;)

Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we can be 
reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark


>
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List' 
>> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root use?
>>
>> I have set it up successfully however, I have to bound the non-root
>> user to port 8443.
>>
>> What is the best way to reroute 8443 through 443?
>> There are several options.
>> Everything is set up at send to port 443 so I need to reroute 8443 in
>> and out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?"
> -> "It depends"
>
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
>
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port
>
> I default to the second option, because there's an Apache httpd or
> another loadbalancer anyways, and it tended to be best documented with
> regards to all of the specific SSL settings you might want to have
> (the cipher-cocktail of the day), plus easily get LetsEncrypt certs.
>
> The others are valid as well - none is better, they're just different.
>
> As we were discussing documentation in another thread these days: I've
> expected to find a solution to your question in the FAQ and wanted to
> link to it - but didn't find any entry there. There's a patch to go on
> my list, with no ETA though. Maybe a side-task during that Manchester
> Tomcat training.
>
> Olaf
>
>
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat 8.5.28

[Mark Thomas]

On 02/03/18 14:30, Olaf Kock wrote:
> 
> 
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> What?
> 
> don't feed the trolls ;)

Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we
can be reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark


> 
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List' 
>> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root use?
>>
>> I have set it up successfully however, I have to bound the non-root user
>> to port 8443.
>>
>> What is the best way to reroute 8443 through 443?
>> There are several options.
>> Everything is set up at send to port 443 so I need to reroute 8443 in and
>> out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?"
> -> "It depends"
> 
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
> 
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port
> 
> I default to the second option, because there's an Apache httpd or
> another loadbalancer anyways, and it tended to be best documented with
> regards to all of the specific SSL settings you might want to have (the
> cipher-cocktail of the day), plus easily get LetsEncrypt certs.
> 
> The others are valid as well - none is better, they're just different.
> 
> As we were discussing documentation in another thread these days: I've
> expected to find a solution to your question in the FAQ and wanted to
> link to it - but didn't find any entry there. There's a patch to go on
> my list, with no ETA though. Maybe a side-task during that Manchester
> Tomcat training.
> 
> Olaf
> 
> 
> 
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat 8.5.28

[Olaf Kock]

On 02.03.2018 15:22, Cheltenham, Chris wrote:

What?


don't feed the trolls ;)


From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root use?

I have set it up successfully however, I have to bound the non-root user
to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in and
out of 443

CentOS 7 by the way -

"what is the best (TM)?"
-> "It depends"

Tomcat runs well on unprivileged ports, and depending on your OS, 
familiarity with configuring it, other infrastructure etc, you have 
different options. Are you familiar with them - as you mention that 
there are many?


You can
* use iptables redirection,
* have a proxy/webserver/loadbalancer in front,
* enable unprivileged binding to the port

I default to the second option, because there's an Apache httpd or 
another loadbalancer anyways, and it tended to be best documented with 
regards to all of the specific SSL settings you might want to have (the 
cipher-cocktail of the day), plus easily get LetsEncrypt certs.


The others are valid as well - none is better, they're just different.

As we were discussing documentation in another thread these days: I've 
expected to find a solution to your question in the FAQ and wanted to 
link to it - but didn't find any entry there. There's a patch to go on 
my list, with no ETA though. Maybe a side-task during that Manchester 
Tomcat training.


Olaf






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: tomcat 8.5.28

[Cheltenham, Chris]

What?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


-Original Message-
From: THOMAS, NEFERTA C [mailto:nt1...@att.com] 
Sent: Friday, March 2, 2018 9:16 AM
To: Tomcat Users List 
Cc: ccheltenham-...@philasd.org
Subject: RE: tomcat 8.5.28

Please paused on all your attempts none of this sounds above board so many
issues and no one has a point of contact to talk to or  whom to  I should
go to please don't proceed until I have spoken to a software specialist.




From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root use?

I have set it up successfully however, I have to bound the non-root user
to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in and
out of 443

CentOS 7 by the way -


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: tomcat 8.5.28

[THOMAS, NEFERTA C]

Please paused on all your attempts none of this sounds above board so many 
issues and no one has a point of contact to talk to or  whom to  I should go to 
please don't proceed until I have spoken to a software specialist.




From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root use?

I have set it up successfully however, I have to bound the non-root user to 
port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in and out 
of 443

CentOS 7 by the way -


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

tomcat 8.5.28

[Cheltenham, Chris]

Hello,

 

Has anyone set up tomcat as a non-root use?

 

I have set it up successfully however, I have to bound the non-root user
to port 8443.

 

What is the best way to reroute 8443 through 443?

There are several options.

Everything is set up at send to port 443 so I need to reroute 8443 in and
out of 443

 

CentOS 7 by the way -

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 

RE: Security of AJP

[Cheltenham, Chris]

Everyone,

As far as documentation.
We realize it is very difficult to write open source docs because there
are so many different scenarios that will work for a given customer's
environment.

Possibly if you declare your audience , that would help.
Possibly if you specify minimum knowledge requirements , that would help.

To me , if there is no declaration of whom you are speaking to; then its
written for the general populous.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Mark A. Claassen [mailto:mclaas...@ocie.net]
Sent: Thursday, March 1, 2018 11:20 AM
To: Tomcat Users List 
Subject: RE: Security of AJP

Thanks everyone for your feedback.  I am the one who unknowingly opened
this can of worms. :)

It seems like there is a bit of momentum for altering the documentation,
so I thought I would offer something that incorporated some of these
suggestions.  I left out the part about "why" one would use a reverse
proxy.  Maybe it should be referenced here, but that is seems like
something a higher level topic that might be more appropriate somewhere
else.  (If it doesn't fit anywhere else either, I can add it back.)

---

The AJP Connector element represents a Connector component that
communicates with a HTTP server via the AJP protocol.  This is an
unencrypted protocol and is therefore recommended for use on a protected
network or encrypted by some other means, like SSH tunneling.  The most
common configuration for this is when an HTTP server acts as a reverse
proxy in front of one or more Tomcat servers.  Besides being a more
efficient protocol that HTTP, there are several configuration options in
this connector designed to allow Tomcat to operate as it would if it were
not running behind a reverse proxy.

---

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect those of
Donnell Systems, Inc.(DSI). DSI makes no warranty for and assumes no legal
liability or responsibility for the posting.
-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Thursday, March 1, 2018 8:34 AM
To: Tomcat Users List 
Subject: Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat; If I comment out the AJP
>>> startup line in server.xml will that affect anything.
>>>
>>> I still don't even understand what its for. I have read the apache
>>> docs but it doesn't mean anything to me.. Apache's description
>>> doesn't tell me anything.
>>>
>>>
>>> The AJP Connector element represents a Connector component that
>>> communicates with a web connector via the AJP protocol. This is used
>>> for cases where you wish to invisibly integrate Tomcat into an
>>> existing (or new) Apache installation, and you want Apache to handle
>>> the static content contained in the web application, and/or utilize
>>> Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>> Is it?
> Well, it could be improved.  For example, by using the
> widely-understood word "proxy" somewhere, or defining "web connector".
> Also by recalling that "Apache" is a huge array of various projects
> (including Tomcat!), while "Apache HTTP Server" refers to a specific
> web server daemon that can front-end Tomcat.  One could even link
> "Apache HTTP Server" to 'http://httpd.apache.org/'.
>

+1.  Maybe "...communicates with an HTTP server via..." in the first
sentence?  Also, the second sentence could be greatly simplified.

-Terence Bandoian


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Is it possible and how

[tomcat]

On 02.03.2018 10:15, M. Osama Alghwell wrote:

Hi,

sorry for the mistake about the Tomcat, it is 5.4


Mmm. That sounds like a bootlegged, pre-release, and probably illegal version.

[...]


I am
thinking to move it to Linux platform, because I am better with Linux and I
think Java is more smoother with Linux.


Definitely.
According to this : 
http://www.linuxandubuntu.com/home/top-8-linux-distributions-of-2016
"Fedora - Bleeding Edge" is the smoothest of all.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Is it possible and how

[M. Osama Alghwell]

Hi,

sorry for the mistake about the Tomcat, it is 5.4
Thank you for the guidance I will send if I will face any obstacles. Even
though, I tried to do migration from old windows and MS SQL to new one but
I faced with a lot of error messages and I couldn't complete it. I am
thinking to move it to Linux platform, because I am better with Linux and I
think Java is more smoother with Linux.
Any hint would be appreciated very much.

Thank you

On Wed, Feb 28, 2018 at 7:34 PM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:

> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Subject: Re: Is it possible and how
>
> > On 2/28/18 11:12 AM, M. Osama Alghwell wrote:
> > > I have a Java application that run on windows and using to Tomcat
> > > (unfortunately it is Tomcat 4.5 and I an assigned to upgrade it).
>
> There was no Tomcat 4.5; 4.1, 5.0, and 5.5 were released, many years ago.
>
> > > Is it possible to move to Linux platform? and is it possible to
> > > jump to Tomcat 8.x? what action should be taken?
>
> > While that sounds like a big jump (Windows -> Linux, Tomcat 4.x ->
> > 8.x), it shouldn't be a *huge* change. You'll also need a Java upgrade
> > as well, of course (Tomcat 8 requires Java 7 or later; I recommend
> > Java 8).
>
> Reading the migration guides would also be useful, although they don't go
> all the way back to Tomcat 4:
> http://tomcat.apache.org/migration.html
>
>   - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>


-- 
*M. Osama Alghwell*